Customers and admin users have some special requirements and procedures regarding account security. Some things to keep in mind regarding accounts and signing in:
- Users must periodically change their password. This cannot be disabled entirely, but the frequency of this required change can be adjusted with the AdminPwdChangeDays AppConfig.
- After a certain number of failed login attempts (3 by default, controlled by the MaxBadLogins AppConfig), user accounts are temporarily locked out. The lockout duration (30 minutes by default) can be adjusted with the BadLoginLockTimeOut AppConfig.
- By default, customers are not required to use complex passwords with special characters like admin users are. That can be changed by setting the UseStrongPwd AppConfig to true.
- By default, admin passwords must be at least 8 characters long and include at least one upper case character, one lower case character, one number, and one of these special characters: ~`!@#$%^&*()_+=[]{}|';":|/?
The required password format for admin users (and for customers, if UseStrongPwd is enabled as described above) can be changed by altering the CustomerPwdValidator AppConfig.
NOTE: This is a regular expression. If it is formatted incorrectly, no one will be able to create new passwords! Be very sure you know what you are doing before making changes.
- You can change the characters used in the temporary passwords the software generates (for example, to simplify them) by modifying the NewPwdAllowedChars AppConfig: NewPwdAllowedChars
- Old admin passwords are stored to prevent admins from reusing the same password when a change is required. The NumPreviouslyUsedPwds AppConfig determines how many previous passwords are saved.
NOTE: The PA-DSS minimum requirement is 4. Changing this to less than 4 is against PA-DSS guidelines.
- By default, admin users are forced to log in again after 15 minutes of sitting idle in the admin site. This is a PA-DSS requirement, which can be overridden by changing the SessionTimeoutInMinutes AppConfig.
NOTE: Changing this to more than 15 minutes is against PA-DSS guidelines.
- Browser password autocomplete can be disabled on email & password fields throughout the application by setting the DisablePasswordAutocomplete AppConfig to true.
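The following is an added example, not code from the product or its documentation. It models the complexity rule, the lockout rule (MaxBadLogins / BadLoginLockTimeOut) and the password-history rule (NumPreviouslyUsedPwds) described above, and shows the check a practitioner should run on a candidate CustomerPwdValidator before saving it: compile it and confirm it accepts and rejects a set of known sample passwords, so a malformed expression cannot block every password change. The setting names are the page's; the regular expression, the sample passwords and the history depth are assumptions (the product's actual default pattern is not given on the page). The lookahead syntax used here is the same in .NET and Python regular expressions.

```python
import hashlib
import hmac
import os
import re
from collections import deque

# Defaults as stated on the page. The regex is an assumed equivalent of the documented
# admin rule (8+ chars, upper, lower, digit, one listed special); not the product's shipped value.
DEFAULT_CONFIG = {
    "MaxBadLogins": 3,
    "BadLoginLockTimeOut": 30,   # minutes
    "UseStrongPwd": False,
    "NumPreviouslyUsedPwds": 4,  # PA-DSS minimum
    "CustomerPwdValidator":
        r"""^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[~`!@#$%^&*()_+=\[\]{}|';":/?]).{8,}$""",
}

# Constructed samples a candidate regex must accept / reject before it is saved.
MUST_ACCEPT = ("Str0ng!Pass", "Admin~Pa55")
MUST_REJECT = ("weakpass", "Short1!", "NoDigitsHere!", "alllower1!")


def validate_pattern(pattern):
    """Pre-deployment check for CustomerPwdValidator -> (ok, reason). A regex that
    does not compile or misclassifies a sample is refused, so a typo cannot lock everyone out."""
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return False, f"does not compile: {exc}"
    for pwd in MUST_ACCEPT:
        if not rx.fullmatch(pwd):
            return False, f"rejects known-good sample {pwd!r}"
    for pwd in MUST_REJECT:
        if rx.fullmatch(pwd):
            return False, f"accepts known-bad sample {pwd!r}"
    return True, "ok"


class LoginTracker:
    """MaxBadLogins / BadLoginLockTimeOut: lock after N consecutive failures; times are seconds."""

    def __init__(self, max_bad_logins, lockout_minutes):
        self.max_bad = max_bad_logins
        self.lockout = lockout_minutes * 60
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> time the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:         # lock expired: the counter starts over
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Count a bad login; return True if the account is locked."""
        if self.is_locked(user, now):
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_bad:
            self._locked_until[user] = now + self.lockout
            return True
        return False


class PasswordHistory:
    """NumPreviouslyUsedPwds: salted hashes of the last N passwords per user, oldest dropped first."""

    def __init__(self, keep):
        self._keep = keep
        self._entries = {}  # user -> deque of (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def is_reused(self, user, password):
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries.get(user, ()))

    def record(self, user, password):
        salt = os.urandom(16)
        self._entries.setdefault(user, deque(maxlen=self._keep)).append(
            (salt, self._digest(password, salt)))


def change_password(user, new_password, history, config=DEFAULT_CONFIG, is_admin=True):
    """Complexity rule (admins always; customers only if UseStrongPwd), then reuse rule -> (accepted, reason)."""
    if is_admin or config["UseStrongPwd"]:
        if not re.fullmatch(config["CustomerPwdValidator"], new_password):
            return False, "does not meet the complexity requirements"
    if history.is_reused(user, new_password):
        return False, f"matches one of the last {config['NumPreviouslyUsedPwds']} passwords"
    history.record(user, new_password)
    return True, "accepted"
```

Run validate_pattern on a new expression first; a result other than (True, "ok") means the value should not be written to the AppConfig. The history keeps only the last N hashes, so once N newer passwords have been set an older one becomes usable again, which is why the PA-DSS floor of 4 matters.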